NIS2 and NEN 7510 in healthcare: 4 questions and answers
Many Dutch healthcare organizations follow the NEN 7510 standard for cybersecurity. But how will NIS2 change the playing field? In this article, two of Secura's consultants update you.
NIS2 in Dutch healthcare: 4 questions and answers
Are you a CISO in the Dutch healthcare sector? Then you know that one of the biggest challenges is balancing between providing good care quickly and ensuring optimal security. 'A healthcare provider who needs to treat someone urgently doesn't want to have to log in with MFA,' says Niels van der Meij, Principal Security Consultant and IT auditor (RE) at Secura. He does a lot of work for the Dutch public sector, including healthcare. Van der Meij foresees more discussion about the tension between healthcare and security as NIS2, the new European cybersecurity directive, arrives. 'I expect that the standards from the Dutch NEN 7510 will become more heavily weighted and formalized now that they will also become mandatory from NIS2.'
What exactly does NIS2 mean for healthcare? How does NIS2 relate to NEN 7510? Van der Meij and his colleague Mario Sleegers, NIS2 expert, answer 4 questions about NIS2 for healthcare.
Niels van der Meij
Principal Security Consultant
Secura
A healthcare provider who needs to treat someone urgently does not want to have to log in with MFA. I expect the area of tension between security and healthcare will only increase with NIS2.
1. What is the main difference between NEN 7510 and NIS2?
NEN 7510 is a sector-related framework focused on Dutch healthcare organizations. NIS2 is an EU legal directive aimed at making critical organizations more cyber resilient, says RE auditor Van der Meij. He knows the NEN 7510 standards framework well.
'A hospital, to give an example, meets the requirements of NIS2 by becoming NEN 7510 compliant. Of course, you do not yet fully comply with NIS2 if you are NEN 7510 compliant. But if you can demonstrate through certification or an assurance report that you follow this standard, that at least covers the basis for NIS2 compliance.' NEN 7510 certification is not mandatory under NIS2.
'There is no certification for NIS2,' Mario Sleegers, NIS2 consultant, adds. 'I don't expect there will be one, because we already saw with the predecessor of NIS2 - the WBNI - that the capacity for verification is limited.' This means that NIS2 compliance in healthcare will largely be measured through the already existing NEN framework.
The NEN standard is being updated to better align with NIS2. 'In the original planning, an update of the NEN 7510 standard was to come in the middle of 2024,' says Sleegers. 'But the NIS2 update will cause some delay, I expect.'
2. We are working toward NEN 7510 certification. What do we need to do to be ready for this?
The NEN 7510 framework - like many other frameworks - consists of two parts, says Van der Meij: 'The basis describes in general terms what your organization needs to look like, for example in the areas of governance, risk management and the Information Security Management System (ISMS). In addition, the framework contains specific standards that you, as an organization, must translate into concrete measures.'
Every organization is free to define the standards in its own way, Sleegers says. 'That is because a standard must be able to apply to an organization of 10 but also to a company of 1,000 employees. This means organizations choose what concrete measures they take to meet a standard based on what is appropriate.'
For example, for small healthcare institutions with a modest number of employees, access rights management can be completed with a brief authorization matrix and limited separation of roles and rights. A large institution with thousands of employees will have to keep a detailed overview of accounts, roles and rights for each system.
The basic assumption of the NEN standard that an employee must have a care relationship with the patient or client will therefore lead to more extensive and specific measures for a large institution than for a small institution.
Because every organization interprets the standards of NEN 7510 itself, it is difficult to give a general indication of when an organization is ready for certification. Still, there are points for attention, says Van der Meij: 'During an NEN 7510 implementation process, we often see that the ISMS is not completely complete. It also happens that the standards are not always translated correctly into concrete measures.'
Mario Sleegers
NIS2 consultant
Secura
NIS2 holds the board accountable for cybersecurity. This executive responsibility exists in virtually no other framework. We see that with NIS2 it has really shifted from the IT department to upper management.
3. We follow NEN 7510. What do we still need to do for NIS2?
An organization that can demonstrate compliance with NEN 7510, for example through certification or an audit report, is already on the road to NIS2 compliance, say Sleegers and Van der Meij. Still, there are a few areas where additional measures are needed to comply with NIS2:
1. Management accountability and training requirements. NIS2 explicitly holds management responsible for cybersecurity. This is noteworthy, says Sleegers: 'This executive responsibility exists in almost no framework. We see that with NIS2 it has really shifted from the IT department to upper management: the board is expected to understand the organization's cyber risks and be able to approve corresponding measures.'
'In practice, of course, this is complex because most people on hospital boards are not experts in this area.' That's why NIS2 requires training and education of the board.
2. Risk management is going to weigh more heavily. One of the most important pillars of NIS2 is risk management. 'You see risk management reflected in NEN 7510, of course, but in NIS2 it carries much more weight,' says Van der Meij.
'Healthcare institutions will have to look more closely at their risk analyses. Internal audits will not only have to assess whether the measures from NEN 7510 have been implemented, but also whether a risk analysis has assessed whether new threats, such as ransomware attacks, are sufficiently controlled. If this is not the case, additional or more severe measures will have to be taken to meet the requirements of NIS2. A check mark will no longer be sufficient. I expect this will really become a point of focus, because NIS2 enforces it.'
3. Security management of suppliers is more important. NIS2 requires organizations to monitor the security of their suppliers. 'This is a fairly new development that you can also see, for example, in the automotive industry at the moment,' says Sleegers. 'But securing the entire supply chain takes a lot of effort and is a long-term issue.'
As a healthcare provider, how can you ensure that, for example, healthcare application suppliers pay enough attention to security? Sleegers: 'The most obvious way to do that is through the contracts with these parties. To map the state of a vendor's security, a Vendor Assessment can help.'
4. Incident reporting will be expanded. NIS2 imposes additional incident reporting requirements. Sleegers: 'In short, organizations must report more and faster. Especially the second point will require effort, because a report is preceded by many steps.'
Download the NIS2 Incident Flowchart
What does NIS2 ask of healthcare facilities when it comes to reporting cyber incidents? What do you need to report? What is the timeline? Mario Sleegers and his colleagues have listed the NIS2 reporting requirements in a convenient flow chart.
Download the NIS2 incident flowchart for healthcare (Dutch)
4. What if our organization complies with NEN 7510 but not with NIS2?
NIS2 distinguishes between 'essential' and 'important' entities, says Mario Sleegers. For 'essential' organizations, compliance oversight will be stricter: most healthcare organizations fall into this category. 'If an essential organization does not comply with NIS2, fines may follow,' he expects.
Van der Meij: 'You can compare the consequences with non-compliance with the privacy law GDPR. The Dutch Personal Data Authority fined the Haga hospital in The Hague in 2019 for insufficiently protecting patient data. But I don't expect a general practice to be fined.'
Why it's a good idea to comply with NIS2
NIS2 and NEN 7510 set requirements that are necessary to control cybersecurity risks. So it makes sense to implement these measures even if you do not necessarily have to comply, in the interest of robust, stable operations and privacy protection.
Articles 32 to 34 of NIS2 address oversight and possible fines for non-compliance. The maximum fine for essential entities is 10 million euros or 2% of annual turnover. For important entities, the maximum is 7 million euros or 1.4% of annual turnover.
The Dutch Inspection for Healthcare will monitor compliance with NIS2 in the Dutch healthcare sector.
In practice, NIS2 will probably mean more emphasis on compliance with regulations around security, Van der Meij expects. So the tension between providing care and security will probably only increase. How can organizations resolve this? Sleegers advises, 'You could start by training the board so that they gain a better understanding of the area of tension. This allows them to actively contribute to solving this tension.'
Van der Meij also has practical advice: 'Don't panic! But do take action. For example, start with a risk analysis, as the Dutch government suggests. Our consultants can help you with this.'
How we can help you
Secura has a lot of NIS2 and NEN 7510 expertise. You can count on our experts to help you train your board with the NIS2 Boardroom Training. We can also help you with a NIS2 Gap Assessment and Implementation Support. Read more about our NIS2 services in the brochure below.
Why choose Secura | Bureau Veritas
At Secura/Bureau Veritas, we are dedicated to being your trusted partner in cybersecurity. We go beyond quick fixes and isolated services. Our integrated approach makes sure that every aspect of your company or organization is cyber resilient, from your technology to your processes and your people.
Secura is the cybersecurity division of Bureau Veritas, specialized in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80,000 employees and is active in 140 countries.